Data networks

ABSTRACT

A network access arrangement for connecting an end user's computer ( 10 ) to the Internet ( 12 ) includes a network access server ( 16 ) and a proxy server ( 24 ). When an end user requests to be connected to the Internet ( 12 ), the network access server ( 16 ) forwards the access request to the proxy server ( 24 ). The proxy server ( 24 ) authenticates some requests itself but forwards other requests to authentication servers (A, B or C) for authentication. After receiving a response from one of the servers (A, B, or C), the proxy server ( 24 ) forwards the response to the network access server ( 16 ). If the proxy server ( 24 ) does not receive a response from one of the authentication servers (A, B, or C), it follows a default procedure. This can be to authenticate the request in the proxy server ( 24 ) or simply to accept the request. The proxy server ( 24 ) has a counter associated with each of the servers (A, B or C). Each time the proxy server ( 24 ) receives a response from one of the servers (A, B or C), it decrements the appropriate counter. Each time it does not receive a response, it increments the appropriate counter. When one of the counters reaches a threshold value, the proxy server ( 24 ) then follows the default procedure for a pre-set number of requests which would normally be forwarded to the appropriate server. After following the default procedure for this predetermined number of access requests, the proxy server ( 24 ) forwards the next access requests, which would normally be forwarded to the relevant server, to that server.

[0001] This invention relates to a method of processing a request at an access server arrangement from a data terminal operated by an end user for access to a data network, and to a network access server and networks including such servers.

[0002] The function of such an access server arrangement is to connect a data terminal, for example a personal computer, operated by an end user to a data network, for example the public Internet. Typically, such an access server arrangement comprises a network access server which receives access requests and provides connections to a data network and an authentication server which can be accessed by the network access server.

[0003] In a simple set up, when a network access server receives an access request, it obtains details from the end user relating to the end user such as a user identifier and a password. It then sends these details to the authentication server which authenticates the request by checking these details against expected details which have been previously registered by the end user. If the details received from the end user correspond to the expected details, then the request is accepted and the end user's data terminal is connected to the data network. If the details are not as expected, then the access request is rejected.

[0004] In a modification of the simple set up, for some or all services, the authentication server acts as a proxy server. For each of these services, when the proxy server receives an access request from the network access server, it forwards the request to the relevant authentication server. This authentication server then checks the details. If the details received correspond to the expected details, then the authentication server sends an access accept message to the proxy server. If the details are not as expected, then the authentication server sends an access reject message back to the proxy server. The proxy server then forwards the access accept or access reject message to the network access server. If the network access server receives an access accept message, then it connects the data terminal operated by the end user to the data network. If it receives an access reject message, then access to the data terminal is refused.

[0005] However, if an authentication server fails to respond to an access request message with either an access accept message or an access reject message, the consequence can be that the access request message from the data terminal operated by the end user is not dealt with in a satisfactory manner.

[0006] According to a first aspect, the invention provides a method of processing a request at an access server arrangement from a data terminal operated by an end user for access to a data network, said method comprising the steps of:

[0007] receiving a request from the data terminal at the access server arrangement for access to the data network;

[0008] in the event that a predetermined criterion is not satisfied:

[0009] (i) attempting to forward the access request to an authentication server;

[0010] (ii) if a response is received from the authentication server, dealing with the access request in accordance with the response; and

[0011] (iii) if a response is not received from the authentication server, dealing with the access request in accordance with a default procedure; and

[0012] in the event that the predetermined criterion is satisfied, dealing with the access request in accordance with a default procedure.

[0013] This aspect of the invention ensures that access requests are handled in a satisfactory manner.

[0014] In one embodiment of the invention, the method includes the following steps:

[0015] if a response is not received from an authentication server, changing the value held in a counter by one unit in one direction; and

[0016] if a response is received from an authentication server, changing the value held in the counter by one unit in the other direction; and

[0017] the predetermined criterion is reached when the value held in the counter has progressed in said one direction to a predetermined threshold.

[0018] Preferably, in the event that the counter has reached said predetermined threshold, the method includes the steps of performing the default procedure for a predetermined number of times, then changing the value held in the counter by one unit in the other direction, and then making an attempt to forward the next access request to the authentication server.
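The counter mechanism of the embodiment just described, as an added example that is not code from the patent: a per-server counter moves one unit towards a threshold on each missing response and one unit back on each received response; once the threshold is reached the proxy applies the default procedure for a pre-set number of requests, then steps the counter back one unit and forwards the next request to the server again. The server name, the scripted transport and the default callable are assumptions made for the illustration.

```python
"""Per-server failure counter driving a RADIUS proxy's default procedure.

Added example, not code from the patent. Each missing response moves a server's
counter one unit towards a threshold and each received response moves it one
unit back; at the threshold the proxy applies the default procedure for a
pre-set number of requests, then steps the counter back one unit and forwards
the next request to the server again. Names and the transport are constructed.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

Request = Dict[str, str]
Forward = Callable[[str, Request], Optional[str]]   # None models "no response"
Default = Callable[[str, Request], str]             # the configured default procedure


@dataclass
class ServerHealth:
    threshold: int      # counter value at which the server is treated as unresponsive
    skip_count: int     # requests handled by the default procedure once failed
    counter: int = 0    # up on no response, down (floored at 0, an assumption) on response
    skipped: int = 0    # default-procedure requests used since the threshold was hit

    def failed(self) -> bool:
        return self.counter >= self.threshold


class FailoverProxy:
    def __init__(self, threshold: int, skip_count: int, forward: Forward, default: Default):
        self.threshold, self.skip_count = threshold, skip_count
        self.forward, self.default = forward, default
        self.health: Dict[str, ServerHealth] = {}

    def _health(self, server: str) -> ServerHealth:
        return self.health.setdefault(server, ServerHealth(self.threshold, self.skip_count))

    def handle(self, server: str, request: Request) -> str:
        """Proxy one access request that would normally be forwarded to `server`."""
        h = self._health(server)
        if h.failed():
            if h.skipped < h.skip_count:
                h.skipped += 1                      # threshold reached: default procedure
                return self.default(server, request)
            h.skipped = 0                           # pre-set number used up: step the
            h.counter -= 1                          # counter back and try the server again
        response = self.forward(server, request)
        if response is None:
            h.counter += 1                          # no response: one unit towards threshold
            return self.default(server, request)
        h.counter = max(0, h.counter - 1)           # response: one unit back
        return response


class ScriptedTransport:
    """Constructed stand-in for the network: one scripted outcome per forward,
    None (no response) once the script runs out."""
    def __init__(self, script: List[Optional[str]]):
        self.script, self.attempts = list(script), 0

    def __call__(self, server: str, request: Request) -> Optional[str]:
        self.attempts += 1
        return self.script.pop(0) if self.script else None


def run_scenario():
    """Server A misses two requests, then answers; threshold 2, default used 3 times."""
    transport = ScriptedTransport([None, None, "accept", "accept"])
    proxy = FailoverProxy(2, 3, transport, lambda server, req: "accept-default")
    results = [proxy.handle("server A", {"user": "alice"}) for _ in range(7)]
    return results, transport.attempts, proxy.health["server A"].counter
```

In the scenario, requests 1 and 2 go unanswered and are handled by the default procedure, requests 3 to 5 are handled by the default procedure without being forwarded at all, and request 6 is forwarded again.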

[0019] This invention will now be described in more detail, by way of example, with reference to the drawings in which:

[0020] FIG. 1 is a block diagram showing an access server arrangement for connecting computers operated by end users to the public Internet;

[0021] FIG. 2 is a graph showing the sequence of operations which are followed in the access server arrangement of FIG. 1 in authenticating an access request from an end user;

[0022] FIG. 3 is a graph showing the sequence of operations which are followed in the access server arrangement of FIG. 1 in providing an accounting record of an end user's session on the Internet;

[0023] FIG. 4 is a block diagram showing a modification to the arrangement of FIG. 1 in which access requests can be forwarded from a proxy server to three authentication servers;

[0024] FIGS. 5 and 6 are tables which are used by the proxy server of FIG. 4 in handling access requests;

[0025] FIG. 7 is a flow chart of a series of operations which are performed by the proxy server of FIG. 4 in handling an access request;

[0026] FIG. 8 is a flow chart of another series of operations which are performed in the proxy server of FIG. 4 in handling an access request;

[0027] FIG. 9 is a flow chart of a set of operations performed by the proxy server of FIG. 4 when handling an access accept message from an authentication server; and

[0028] FIG. 10 is a block diagram of another arrangement for connecting computers operated by end users to the public Internet.

[0029] Referring now to FIG. 1, there is shown an arrangement for connecting a data terminal in the form of a computer 10 operated by an end user to the public Internet 12. Although this invention will, by way of example, be described with reference to the public Internet, it is to be appreciated that the invention could be used for gaining access to other types of data network. In this specification, the term “end user” indicates an individual person who wishes to use his or her computer to gain access to the public Internet or another data network.

[0030] As shown in FIG. 1, the end user's computer 10 can be connected to the public Internet 12 through the public switched telecommunications network (PSTN) 14, a network access server (NAS) 16 and a firewall 18. In this example, the end user's computer 10 has a modem for converting the digital signals generated in the computer 10 to modulated analogue signals for transmission through the PSTN 14 and also for converting modulated analogue signals received from the PSTN 14 into digital signals for use within the computer 10. The NAS 16 has a bank of modems for answering calls from end users' computers. By way of modification, the invention can also be used for providing access to the public Internet where the connection between the end user's computer and the NAS is digital, for example, using integrated services digital network (ISDN) technology or asynchronous digital subscriber loop (ADSL) technology. Where a digital connection is used, modems are not needed. Network access servers are presently available from several vendors including Cisco, Ascend and Lucent. Another name for a network access server is Remote Access Server. For reasons of simplicity, FIG. 1 shows a single network access server. In practice, in order to provide the desired capacity, there is usually a set of network access servers at a single location.

[0031] As is well known, in the public Internet 12, data packets are routed using the well-known Internet Protocol (IP) and transported using the well-known connection-oriented Transmission Control Protocol (TCP). The computer 10, NAS 16 and firewall 18 are all capable of receiving and transmitting data packets which use these protocols.

[0032] As shown in FIG. 1, the firewall 18 is also connected to a private data network 20. A registration server 22, an authentication and accounting server 24 and a mail server 26 as well as other servers, not shown, are also connected to network 20. In the network 20, data packets are routed using IP. Between the NAS 16 and the registration server 22 and the mail server 26, packets are transported using TCP. However, to avoid delays, between the NAS 16 and the authentication and accounting server 24, the transport protocol is the well known connectionless User Datagram Protocol (UDP). The mail server 26 uses two well known higher level protocols. Between the mail server 26 and other mail servers, the Simple Message Transport Protocol (SMTP) is used. Between the mail server 26 and computers operated by end users, Post Office Protocol number 3 (POP3) is used. The mail server 26 will not be described further as it does not form part of this invention.

[0033] Between the NAS 16 and the authentication and accounting server 24, a higher level protocol known as the Remote Authentication Dial-In User Service (RADIUS) is used. This protocol is used to pass attributes between the NAS 16 and the authentication and accounting server 24. A user password and a user identifier are examples of such attributes. Each message transmitted using the RADIUS protocol serves a particular purpose and the purpose is specified in the message. A request for a user to be given access to the Internet 12 is an example of such a purpose. The RADIUS protocol was devised by Livingston Enterprises Inc. and it is becoming an industry standard for Internet access authentication and accounting. Authentication is a process of verifying a user's details to decide whether a user can be given access to the Internet. Accounting is a method of collecting information on the use of the Internet by an end user which can be used for billing, auditing and reporting.

[0034] The firewall 18 protects the NAS 16 and the servers 22, 24 and 26 from intrusion from users of the Internet 12.

[0035] In this example, the NAS 16, the firewall 18 and the servers 22, 24 and 26 form an access server arrangement and belong to a single organisation. Because this organisation is responsible for providing access for end users to the Internet, the organisation is known as an Internet service provider. However, as will be described in more detail below, the server 24 can be modified so that it can also “proxy” or forward access request messages to other authentication and accounting servers. These other servers may belong to the same Internet service provider as the authentication server 24 or to other Internet service providers. Alternatively, the other servers may belong to the same organisation as the authentication server 24 but be managed separately within that organisation. Where an access request message is forwarded to another server, then that server, rather than the server 24, is responsible for authentication or accounting. Where the server 24 is serving the function of forwarding messages, rather than responding to the messages itself, it is referred to as a proxy server.

[0036] Before an end user can gain access to the Internet 12, the end user is usually given a user identifier and a password. The user identifier and password are issued, online, by the registration server 22 and these details are held in a database, not shown, which can be accessed by the authentication and accounting server 24. Where an Internet service provider requires an end user to have a user identifier and a password, these details are checked by the authentication and accounting server 24, during an authentication phase, before giving an end user access to the Internet 12. Some Internet service providers do not require the end user to have a user identifier or a password. In the case of such Internet service providers, the authentication and accounting server 24 usually checks some other detail, such as the number called by the end user's computer, before permitting access to the Internet.

[0037] Where an end user has a user identifier and a password, the sequence of events which occur in responding to a request from the end user's computer for access to the Internet 12 will now be described with reference to FIG. 2.

[0038] When the end user wishes to access the Internet 12, the computer 10 dials the NAS 16. The PSTN 14 then provides a link between the computer 10 and the NAS 16. Traffic is carried over this link between the computer 10 and the NAS 16 using the Point-to-Point Protocol (PPP) and two further protocols which are the Link Control Protocol (LCP) and the Internet Protocol Control Protocol (IPCP). The LCP is responsible for configuring and testing the link between the computer 10 and the NAS 16 and the IPCP is responsible for handling IP packets at each end of the link and negotiating the compression technique to be used.

[0039] When the link has been configured and tested, the computer 10 sends a request for service message to the NAS 16. The NAS 16 then sends a challenge message to the computer 10. The purpose of this message is to obtain the user's identifier and the user's password. On receiving this message, the end user enters his or her details on the computer 10 and the computer 10 then transmits these details to the NAS 16 in a response message. The password itself is transmitted using one of two protocols. These protocols are the Password Authentication Protocol (PAP) and the Challenge Handshake Authentication Protocol (CHAP). Both of these protocols provide some security but CHAP is more secure than PAP. These protocols are well known and will not be further described.

[0040] When the NAS 16 has received these details, it transmits an access-request message containing these details received from the end user to the authentication and accounting server 24. The access-request message also contains further details, such as an identifier for the NAS 16 itself and the calling party's telephone number of the telephone line used by computer 10.

[0041] The server 24 then checks the details received from the NAS 16 against details held in the database. If the user's details do not correspond to the details held in the database, then the server 24 sends an access-reject message to the NAS 16, which then terminates the call. If the details obtained from the computer 10 are as expected, then the server 24 sends an access-accept message to the NAS 16. If the NAS 16 receives an access-accept message, then it assigns an IP address to the computer 10, transmits this to the computer 10 in an assign IP address message and then allows traffic to pass between the computer 10 and the Internet 12.

[0042] As mentioned above, some Internet service providers do not require an end user to have a user's identifier or password. When using a service provided by such an Internet service provider, the sequence outlined above is modified as follows.

[0043] The computer 10 still sends a request for service message to the NAS 16 and the NAS 16 still sends a challenge message to the computer 10. However, the response message from the computer 10 to the NAS 16 will not contain a user identifier or a user password and so these details are not included in the access-request message from the NAS 16 to the server 24. However, the access-request message may contain some other information, for example the number dialled by the computer 10. On receiving the access-request message, the server 24 checks the information contained in the access-request message against expected information. For example, it might check the number dialled by the computer 10 to see if the expected number was, in fact, dialled. If the information received from the NAS 16 corresponds to the expected information, then an access-accept message is transmitted to the NAS 16, which then permits traffic between the computer 10 and Internet 12 as described above. If the information received from the NAS 16 does not correspond to the expected information, the server 24 sends an access-reject message to the NAS 16. The NAS 16 then terminates the call.

[0044] When an end user wishes to register with an Internet service provider, then during registration the sequence of events described above is modified as follows. The end user's computer 10 still sends a request for service message to the NAS 16 and the NAS 16 still sends a challenge message back to the computer 10. At this stage, the end user is unable to enter a user identifier or password and so the response message cannot contain these details. These details are also absent from the access-request message sent by the NAS 16 to the server 24. As the access-request message contains neither a user identifier nor a password, the server 24 interprets the access-request message as a request for registration. It therefore sends an access-accept message to the NAS 16 but the message contains an instruction to the NAS 16 to apply a filter to IP packets received from the computer 10. The NAS 16 then assigns an IP address to the computer 10. The NAS 16 then permits traffic from the computer 10 to pass through it but subject to the filter. Normally, the filter would specify that only packets destined for the registration server 22, or received from this server, can pass through the NAS 16. Consequently, the end user can then register with the Internet service provider and thus obtain a user identifier and password.

[0045] Referring now to FIG. 3, immediately before the NAS 16 allows Internet traffic to pass between the computer 10 and the Internet 12, it sends an accounting-start message to the server 24. The server 24 then logs the time at which the session is commencing and certain other details relating to the end user. It also sends an accounting-response message to the NAS 16. The user's Internet session then proceeds. Immediately after the session has terminated, the NAS 16 sends an accounting-stop message to the server 24. The server 24 then logs the time at which the session has ended and sends an accounting-response message to the NAS 16. Accounting information is held for two purposes. Firstly, it provides basic information which allows a service provider to issue usage-based billing. Secondly, it provides an audit trail of the user's connection time, IP address and certain other details which may be needed for legal reasons.

[0046] As mentioned above, the server 24 can be modified so as to forward access request messages to other servers for authentication and accounting. Referring now to FIG. 4, there is shown an arrangement in which the server 24 can forward access request messages to authentication server A (server 30), authentication server B (server 32) or authentication server C (server 34). Each of the servers 30, 32 and 34 is capable of performing both authentication and accounting. The server 24 is still capable of authentication and accounting but will now be referred to as a proxy server as it is also capable of forwarding access request messages. Servers A, B and C may belong to the same Internet service provider as the Internet service provider which owns the NAS 16 and the proxy server 24 or to other Internet service providers. Alternatively, the servers A, B and C may belong to the same Internet service provider as the NAS 16 and the proxy server 24 but be managed separately within that organisation. Although, by way of example, in FIG. 4 the proxy server 24 is capable of forwarding access request messages to three other servers, it could of course be modified so as to forward such messages to a smaller or greater number of servers. The proxy server 24 could also be arranged to instruct the NAS 16 to form a tunnel to a home gateway. Home gateways are discussed below with reference to FIG. 10.

[0047] A simple procedure for handling access request messages in the proxy server 24 will now be described. In this simple procedure, when the proxy server 24 receives an access request message from the NAS 16 containing a user identifier, it splits the user identifier into a user name part and a domain part. This simple procedure can only be used where all user identifiers received by the NAS 16 follow the same pattern. An example of such a pattern is n@d, where n is the value of the user name and d is the value for the domain. After splitting up the user identifier into two parts, the proxy server 24 consults a database table. For each of the possible domains, this table specifies the server which is responsible for performing authentication and accounting operations in response to an access request message. If the relevant server is the proxy server 24 itself, it performs authentication and accounting as described above. If the appropriate server is one of the servers A, B and C, the proxy server 24 forwards the access request message to the appropriate one of these servers. The appropriate server then performs authentication and sends a response message to the proxy server 24 which, in turn, forwards it to the NAS 16. The NAS 16 then provides or denies the connection as specified in the response message. The server which has performed the authentication operation also performs the accounting operation.

[0048] As described above, the simple procedure is only capable of handling access request messages in which all user identifiers follow the same pattern. Also, the simple procedure is limited to either performing authentication and accounting in the proxy server 24 itself or forwarding the access request message to one of the servers A, B and C for authentication and accounting. There will now be described, with reference to FIGS. 5 to 7, an improved procedure for handling access request messages in which the user identifiers can follow several different patterns. The improved procedure also provides more possibilities for handling access request messages. These possibilities include re-writing a user identifier before forwarding an access request message to another server, providing different servers for authentication and accounting, the provision of a default server in the event that a server is unable to perform either authentication or accounting, and handling an access request message which does not include a user identifier or password.

[0049] Referring now to FIG. 5, there is shown a table which has five columns 41-45 and five rows 51-55. Each of the rows 51-55 contains a rule which specifies how an access request message is to be handled by the proxy server 24. The information which specifies how an access request message is to be handled is contained in columns 43-45. When an access request message arrives at proxy server 24, the relevant rule has to be identified and the information for doing this is contained in columns 41 and 42. The procedure for identifying the relevant rule will now be described and this will be followed by an explanation of the various possibilities, specified in the rules, for handling access request messages.

[0050] When an access request message which contains a user identifier arrives at proxy server 24, the pattern of the user identifier in the access request message is compared with the patterns shown in column 41 (headed “Pattern”) for each of rows 51-54 in turn. In the example shown in FIG. 5, the pattern shown in rows 51, 52 and 54 is of the type n@d and the pattern shown in row 53 is of the type n/d. When a match is found between the pattern in the user identifier in the access request message and a pattern in one of rows 51-54, the identified pattern is used to split the user identifier into the user name part and a domain part.

[0051] Next, for an access request message which contains a user identifier, the domain part of the user identifier is compared with the values given in column 42 (headed “Specified Attribute”) for each of rows 51-54 until a match is found. The row in which the match is found is then identified as containing the rule which specifies the procedure for handling this particular access request message.

[0052] It should be noted that, in order to identify the relevant rule, both the pattern of the user identifier in an access request message and the value of its domain must match, respectively, the pattern shown in column 41 and the value given for the domain in the same row in column 42. For example, if a user identifier has a pattern n@d and the domain part has a value bti.co.uk, then the relevant rule is specified in row 54 rather than in row 53.

[0053] If the access request message does not contain a user identifier, then a match will not be found for any one of the patterns in column 41 for rows 51-54. When a match is not found in any one of rows 51-54, the pattern of the calling number is checked against a pattern for the calling number specified in column 41 of row 55. In this example, the specified pattern is that the calling number is formed solely from digits. If a match is found between the pattern of the calling number and the specified pattern, the calling number is compared with a specified value in column 42 of row 55. If a match is found, then row 55 is identified as containing the rule which specifies the procedure for handling the access request.

[0054] The table shown in FIG. 5 could be expanded to include one or more further columns which contain values for further attributes. Where there are one or more further columns, then the relevant row, and hence the relevant rule, will be identified when the value of the domain part of the user identifier contained in the access request message and the values of the relevant further attributes all match the values specified in these columns.

[0055] By way of modification, the table shown in FIG. 5 could contain rules for splitting up other attributes, for example the calling number, in the access request message.

[0056] After the relevant row, and hence the relevant rule, has been identified, then the proxy server 24 consults column 43 (headed Proxy User Identifier). The purpose of this column is to specify whether or not the user identifier is to be re-written before forwarding an access request message to another server. In the example shown in FIG. 5, in each of rows 51, 52, 54 and 55, column 43 has an “=” sign. This denotes that the user identifier is not re-written before forwarding the access request message to another server. However, in row 53, the entry is “n@bti.com”. This is an instruction to re-write the user identifier from the form n/d to the form n@d and to use bti.com as the value for the domain part of the user identifier.

[0057] Although not shown in FIG. 5, there can be two further columns, which are similar to column 43, which contain instructions for re-writing the user identifier for internal use within the proxy server 24 for authentication and accounting.

[0058] After consulting column 43, the proxy server 24 then consults column 44 (headed Authentication Route) and column 45 (headed Accounting Route). These contain instructions for the route to be followed for authentication and accounting. In the present example, there are four possible routes, namely routes 1-4. For example, it will be seen that, in row 51, both the authentication and accounting routes are route 2. In row 54, the authentication route is route 3 but the accounting route is route 2. Thus the accounting and authentication routes can be different. The details for each route are set out in the table shown in FIG. 6 and this table will now be described.

[0059] Referring now to FIG. 6, it will be seen that the table has four columns 61-64. Column 61 (headed Route) gives the number of the route. It will be seen that there are four rows 71-74 corresponding to the four different routes. Generally, the number of rows will be equal to the number of possible routes.

[0060] The column 62 (headed Primary) gives the name of the server which is the main or first choice for performing the relevant (authentication or accounting) operation. Column 63 (headed Secondary) and column 64 (headed Tertiary) give the first alternative and the second alternative choice for performing the relevant operation in the event that the server specified in column 62 is unable to perform the operation.

[0061] Thus, in row 71 (route 1), it will be seen that the first choice for performing the relevant operation is the server A. If the server A is unable to perform the operation, then as a default procedure, the server B is instructed to perform the relevant operation. If the server B is unable to perform the relevant operation, then as a further default, as indicated in column 64, the access request is rejected.

[0062] As shown in row 72 (route 2), it will be seen that the entry for the first choice for performing the relevant operation is marked “local”. This is an instruction to perform the relevant operation in the proxy server 24 itself. In the case of route 2, there are no default or alternative choices for performing the relevant operation.

[0063] In the case of row 73 (route 3), it will be seen that the entry for the first choice for performing the relevant operation is marked “accept”. This is simply an instruction to accept the access request.

[0064] In row 74 (route 4), it will be seen that the first choice for performing the relevant operation for route 4 is server C. As shown in the entry in column 63, it will be seen that the default action is to accept the access request.

[0065] Referring back to FIG. 5, it is to be appreciated that further columns could be added to provide further instructions for processing an access request message. For example, there could be an instruction for the NAS 16 to apply a filter. This would have the effect of preventing the end user from accessing certain addresses in the Internet 12.

[0066] The procedure for handling an access request message will now be summarised with reference to the flow chart shown in FIG. 7.

[0067] Initially, in step 80, the details relating to the end user are compared with each one of a set of patterns in turn until a match is found. As described above, this is performed by using the entries in column 41 of the table shown in FIG. 5. Then, in a step 81, the relevant rule is identified. In the example shown in FIG. 5, this is performed by comparing the details relating to the end user with a specified value for one attribute for each rule in turn until a match is found. Then, in step 82, if appropriate, the user identifier is re-written before forwarding it to another server using the entries set out in column 43. In steps 83 and 84, the access request message is processed using the authentication route as set out in column 44 and the accounting route as set out in column 45.
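The rule table of FIG. 5 and the route table of FIG. 6, worked through the steps 80 to 84 of FIG. 7, as an added example that is not code from the patent. The row 53 re-write to n@bti.com and the row 54 domain bti.co.uk come from the text; the other domain values, the calling number of row 55 and its routes, and the `responders` mapping that stands in for the network are constructed assumptions.

```python
"""Rule-table lookup for a RADIUS proxy, following FIGS. 5 to 7.

Added example, not code from the patent. Encodes the rule table of FIG. 5 and
the route table of FIG. 6, identifies the rule for an access request, re-writes
the user identifier where the rule says so and walks the route until a
decision is reached. Values marked (constructed) are not given in the text.
"""
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    row: int
    pattern: str        # column 41: "n@d", "n/d", or "digits" for the calling number
    specified: str      # column 42: expected domain, or expected calling number
    proxy_user_id: str  # column 43: "=" keeps the identifier, "n@<domain>" re-writes it
    auth_route: int     # column 44
    acct_route: int     # column 45


# How each pattern splits the attribute into a user name (n) and a domain (d).
PATTERNS = {
    "n@d": re.compile(r"^(?P<n>[^@/]+)@(?P<d>[^@/]+)$"),
    "n/d": re.compile(r"^(?P<n>[^@/]+)/(?P<d>[^@/]+)$"),
    "digits": re.compile(r"^(?P<d>\d+)$"),
}

RULES = [  # FIG. 5, rows 51-55
    Rule(51, "n@d", "isp.example", "=", 2, 2),      # domain (constructed)
    Rule(52, "n@d", "partner.example", "=", 4, 4),  # domain (constructed)
    Rule(53, "n/d", "bti", "n@bti.com", 1, 1),      # domain (constructed); re-write from text
    Rule(54, "n@d", "bti.co.uk", "=", 3, 2),
    Rule(55, "digits", "01234567890", "=", 2, 2),   # number and routes (constructed)
]

ROUTES = {  # FIG. 6, rows 71-74: (primary, secondary, tertiary)
    1: ("server A", "server B", "reject"),
    2: ("local", None, None),
    3: ("accept", None, None),
    4: ("server C", "accept", None),
}


def identify_rule(user_id: Optional[str], calling_number: str) -> Optional[Tuple[Rule, Optional[str]]]:
    """Steps 80 and 81: pattern and specified attribute must match in the same row.
    Rows 51-54 are tried on the user identifier; row 55 on the calling number only
    when no earlier row matched. Returns (rule, user name part) or None."""
    if user_id is not None:
        for rule in RULES:
            if rule.pattern != "digits":
                m = PATTERNS[rule.pattern].match(user_id)
                if m and m.group("d") == rule.specified:
                    return rule, m.group("n")
    for rule in RULES:
        if rule.pattern == "digits":
            m = PATTERNS["digits"].match(calling_number)
            if m and m.group("d") == rule.specified:
                return rule, None
    return None


def rewrite_user_id(rule: Rule, name: Optional[str], user_id: Optional[str]) -> Optional[str]:
    """Step 82 (column 43): '=' forwards the identifier unchanged,
    'n@<domain>' rebuilds it as <name>@<domain>."""
    if rule.proxy_user_id == "=" or name is None:
        return user_id
    return f"{name}@{rule.proxy_user_id[2:]}"


def walk_route(route: int, responders: Dict[str, Optional[str]]) -> str:
    """Primary, then secondary, then tertiary, until a choice yields a decision.
    `responders` stands in for the network (constructed): server name ->
    "accept" / "reject", or None when that server does not respond."""
    for choice in ROUTES[route]:
        if choice is None:
            break
        if choice in ("local", "accept", "reject"):
            return choice
        response = responders.get(choice)
        if response is not None:
            return f"{response} via {choice}"
    return "reject"  # assumption: a route exhausted without a decision rejects


def handle_access_request(user_id: Optional[str], calling_number: str,
                          responders: Dict[str, Optional[str]]) -> dict:
    """Steps 80 to 84 of FIG. 7 for one access request."""
    found = identify_rule(user_id, calling_number)
    if found is None:
        return {"row": None, "auth": "reject"}  # no rule matched: nothing to route
    rule, name = found
    return {
        "row": rule.row,
        "forwarded_id": rewrite_user_id(rule, name, user_id),
        "auth": walk_route(rule.auth_route, responders),
        "acct": walk_route(rule.acct_route, responders),
    }
```

With `responders` reporting server A silent and server B answering, a user identifier of the form n/bti lands on row 53, is re-written to n@bti.com and is authenticated via server B as the secondary choice of route 1.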

[0068] The procedure described with reference to FIGS. 5 to 7 can also be used with the network access arrangement shown in FIG. 1. However, when so used, the option of forwarding an access request to another server is clearly not available.

[0069] Referring now back to FIG. 5, each of rows 51 to 55 contains a rule for a particular access service provided by the NAS 16. The columns 44 and 45 contain the routes for performing authentication and accounting for the various services. Thus, for the service of row 51, the primary choice for both authentication and accounting is the proxy server 24. In the case of the service of this row, there is no alternative choice or default procedure for authentication and accounting. In the case of the service of row 52, the primary choice for both authentication and accounting is the authentication server C. In the case of the service of this row, if the proxy server 24 sends an access request message to the authentication server C but does not receive a response, the proxy server 24 proceeds to the secondary choice, specified in column 63 of FIG. 6, for dealing with the access request message from the NAS 16. In this case, the default action is to accept the access request and therefore to send an access accept message back to NAS 16.

[0070] In the case of the service of row 53, the primary choice for both authentication and accounting is the authentication server A. If the proxy server 24 does not receive a response to an access request message which it sends to authentication server A, then it proceeds to the secondary choice specified in column 63 of FIG. 6. In this case, the secondary choice or default action for dealing with the access request message from NAS 16 is to forward the access request message to the authentication server B.

[0071] In the case of the service of row 54, the primary, and only, action for dealing with authentication is to accept the access request message. In the case of the service of row 54, the primary and only action for accounting is to handle accounting locally in the proxy server 24.

[0072] In the case of the services of rows 53 and 52, there will be occasions when the primary choice for authentication and accounting fails. This may be caused, for example, by a brief interruption in the transmission link between the proxy server 24 and either the server A or the server C, or by a brief failure or overload in either server A or server C. In such situations, the default action specified in column 63 should be sufficient to ensure that a satisfactory response can be sent by the proxy server 24 to the NAS 16.

[0073] However, in the case of the services of rows 53 and 52, there will be occasions when either server A or server C fails to respond to an access request message from the proxy server 24 over a prolonged period. This could be caused either by a failure in the communications link between the proxy server 24 and either server A or server C, or by a complete failure in either server A or server C. If such a failure does occur, then access request messages for the corresponding service will be queued in proxy server 24 before they are handled by proxy server 24 in accordance with the default action. If this happens, then the queue of access request messages in proxy server 24 for the relevant service will lengthen and proxy server 24 will be effectively saturated with these requests. Consequently, the delay in sending a response to NAS 16 will increase to the point at which it reaches the time out period of NAS 16 for receiving a response. If this happens, NAS 16 will apply its own default action, which is to refuse access requests for the relevant service. Clearly, this is unsatisfactory for the end users.

[0074] There will now be described with reference to FIG. 8 a process which is performed in the proxy server 24 for overcoming this problem. The process is performed for each access request message which relates to a service for which the primary choice for handling the authentication request message from the NAS 16 is to forward it to another server, and a separate process is performed for each such service. For each access request message from the NAS 16, this process is performed after step 81 shown in FIG. 7.

[0075] Referring now to FIG. 8, this process uses two software counters, namely counter A and counter B. Each of these counters is initially set to zero.

[0076] For each access request message, in an initial step, the value of counter A is compared with a threshold value in a step 100. If the value of counter A is below the threshold value, then in a step 101 the access request message is forwarded to the appropriate authentication server, for example server A or server B. Then, in a step 102, the proxy server waits for a response from the appropriate authentication server. If a response is received, then counter A is decremented in a step 103 and the process then ends for this access request message.

[0077] If in step 102 no response is received from the relevant authentication server, then the default action is followed in a step 103. As mentioned above, the default actions are shown in column 63 in FIG. 6. After step 103, counter A is incremented in a step 104 and the process then ends for this access request message.

[0078] In step 100, on the first occasion that it is found that the value in counter A equals the threshold value, counter B is set to a threshold value. As will be seen, this threshold value represents the number of access request messages for which the default action is followed before another attempt is made to forward an access request message to the relevant authentication server.

[0079] After step 100, the default action is followed in a step 105 and counter B is then decremented in a step 106. As mentioned above, the default actions are shown in column 63 in FIG. 6.

[0080] Then, in a step 107, if the value in counter B does not equal zero, the process ends for this request message. If the value in counter B does equal zero, then in a step 108 counter A is decremented. The result of this is that the next access request message will be forwarded to the relevant authentication server. The process then ends for this access request message.

[0081] Thus, in the normal course of events, the value in counter A fluctuates up and down between zero and its threshold value as long as the relevant authentication server is handling nearly all of the access request messages which are forwarded to it. However, when there is a failure, then the default action is followed for a number of access request messages equal to the threshold value of counter B.

[0082] As a result of following this process, in the event that one of the authentication servers fails to respond for a prolonged period, the proxy server 24 does not saturate and sends a response to the NAS 16 for each access message before the time out period is reached.
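The FIG. 8 process of paragraphs [0075] to [0082], as an added example in Python that is not part of the patent. It is the two-counter scheme as described: counter A goes up on a missed response and down on a received one; once it reaches its threshold the proxy answers from the default action for a run of requests counted down by counter B, then lowers counter A by one so that the next request is forwarded again as a probe. Two details the text leaves open are taken as assumptions here: counter A is not decremented below zero (which is what "fluctuates between zero and its threshold value" implies), and counter B is reloaded whenever it is found at zero with counter A at the threshold, so that a failed probe starts a fresh default-only run. The threshold values and the `drive` harness with its simulated server are constructed for the example.

```python
"""Added example (not the patent's code): the per-service counter
process of FIG. 8. Threshold values and the simulated server are
constructed; the clamp of counter A at zero is an assumption."""
from typing import Callable, List, Optional, Tuple

Forward = Callable[[dict], Optional[str]]   # None models "no response"
Default = Callable[[dict], str]             # the column 63 default action


class ServiceBreaker:
    """One instance per service whose primary choice is a remote server."""

    def __init__(self, threshold_a: int, threshold_b: int):
        self.threshold_a = threshold_a   # compared with counter A in step 100
        self.threshold_b = threshold_b   # loaded into counter B at the threshold
        self.counter_a = 0
        self.counter_b = 0

    def handle(self, request: dict, forward: Forward,
               default: Default) -> Tuple[str, str]:
        """Returns (response, how). 'how' records which path answered:
        'forwarded', 'default-after-timeout' or 'default-immediate'."""
        if self.counter_a < self.threshold_a:
            resp = forward(request)                        # steps 101, 102
            if resp is not None:
                self.counter_a = max(0, self.counter_a - 1)  # step 103, clamped (assumption)
                return resp, "forwarded"
            self.counter_a += 1                            # step 104
            return default(request), "default-after-timeout"
        # counter A is at its threshold: do not forward, answer at once
        if self.counter_b == 0:
            self.counter_b = self.threshold_b              # step 100, first occasion
        resp = default(request)                            # step 105
        self.counter_b -= 1                                # step 106
        if self.counter_b == 0:                            # steps 107, 108
            self.counter_a -= 1    # next request is forwarded again as a probe
        return resp, "default-immediate"


def drive(breaker: ServiceBreaker, server_up: List[bool]) -> List[str]:
    """Feed one request per entry; True means the server answers, False
    means it stays silent. Returns the 'how' label for each request."""
    modes = []
    for i, up in enumerate(server_up):
        forward = lambda r, up=up: "Access-Accept" if up else None
        _, how = breaker.handle({"id": i}, forward, lambda r: "Access-Accept")
        modes.append(how)
    return modes


if __name__ == "__main__":
    # Server silent for 12 requests, then back: only 4 of the 12 requests
    # pay the forwarding timeout, the rest are answered immediately.
    print(drive(ServiceBreaker(threshold_a=3, threshold_b=4),
                [False] * 12 + [True] * 3))
```

With threshold A of 3 and threshold B of 4, a twelve-request outage costs three timed-out forwards, four immediate default answers, one more timed-out probe and four more immediate answers; once the server is back, every request is forwarded and counter A drains to zero. Whatever the default action is during those immediate answers (accept, or forward to a second server) is what the NAS sees, so the fail-open caveat on an "accept" default applies for the whole default-only run.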

[0083] Although the process shown in FIG. 8 has been described with reference to handling access request messages, it can also be used for accounting. In order to achieve this, the default action shown in step 105 includes the default action for accounting as well as for authentication.

[0084] Referring back to FIG. 4, the organisation which manages the network access server 16 and the proxy server 24 may be separate from the organisations which manage the authentication servers A, B and C. An organisation which manages one of the servers A, B or C may wish, on some occasions, to specify a filter in an access accept message. Where a filter is applied by the network access server 16, traffic from the end user's computer 10 to the Internet 12 is restricted to one or more specified addresses.

[0085] The RADIUS protocol mentioned above does include a field for specifying a filter (the Filter-Id attribute). Unfortunately, the vendors of network access servers tend to provide their own proprietary methods. Consequently, it is usually not possible to specify a filter using the attribute field in the RADIUS protocol, and this creates difficulties in specifying a filter in an access accept message transmitted by one of the authentication servers A, B and C.

[0086] Also, the organisations which manage the servers A, B and C may wish to have the opportunity to specify both static and dynamic filters. A static filter consists of a named item which has to be configured and agreed prior to use. For example, a static filter might be configured to restrict access just to a registration server. In contrast, a dynamic filter does not have to be agreed in advance and specifies that access is to be restricted to either a single address or a range of addresses. Unfortunately, the attribute field in the RADIUS protocol does not cover the possibility of specifying a dynamic filter. Consequently, it is difficult to specify a dynamic filter in an access accept message produced by one of the servers A, B or C.

[0087] There will now be described a process which permits the authentication servers A, B and C to specify both static and dynamic filters in an access accept message without having knowledge of the type of network access server which will be used to make a connection between an end user's computer and the Internet.

[0088] In this process a standard protocol is agreed between the organisation which manages the proxy server 24 and the organisations which manage the servers A, B and C. This protocol permits the authentication servers A, B and C to specify both static and dynamic filters. It specifies the format for each type of filter. In this example, an access accept message can specify either a static filter or up to 10 dynamic filters. It cannot specify both static and dynamic filters. As will be explained, the proxy server 24 translates a filter specified in an access accept message into the protocol used by the network access server 16. Although FIG. 4 shows only a single network access server 16, in a more complicated arrangement the proxy server 24 may receive access request messages from several clusters of network access servers provided by several different vendors.

[0089] In this process, on receiving an access accept message containing a filter identifier, the proxy server 24 performs the operation shown in FIG. 9.

[0090] Referring now to FIG. 9, in a step 150, the proxy server 24 receives an access accept message containing a filter identifier.

[0091] Then, in a step 151, the proxy server 24 checks that the filter identifier is valid. As mentioned above, a mixture of static and dynamic filters is not permitted. Therefore, if a filter identifier contains a mixture of static and dynamic filters, it is found invalid. Also, as mentioned above, if a filter identifier specifies more than 10 dynamic filters it is found invalid. Also, the proxy server 24 checks that each filter is specified in the correct format. If an incorrect format is used, then the filter identifier is found invalid.

[0092] If the filter identifier is valid, then the proxy server 24 performs step 152. In this step, it translates the filter identifier from the standard protocol to the protocol used by NAS 16. For example, in the standard protocol, each dynamic filter is specified in the form:

[0093] a.b.c.d/n.

[0094] In this format "a.b.c.d" represents an IP address and "n" represents the number of bits of that address which are to be enforced; that is, a.b.c.d/n is the usual prefix-length notation and denotes the addresses whose leading n bits match those of a.b.c.d. Thus, if n=32, the whole address is to be enforced. If n has a value less than 32, then only the appropriate part of the address is to be enforced.

[0095] In the case of network access servers manufactured by Cisco, a dynamic filter includes the term "a.b.c.d.X.Y.Z.T". The interpretation of this is that access is to be restricted to an address range, the lower limit of which is X.Y.Z.T and the upper limit of which is a.b.c.d.

[0096] After performing the translation in step 152, in a step 153 the access accept message is forwarded to the NAS 16 with a filter identifier in the protocol used by NAS 16.

[0097] If in step 151 it is found that the filter identifier is not valid, then a default action is applied in a step 154. The default action can be agreed in advance between the organisation which manages the proxy server 24 and the relevant authentication server A, B or C. The two possibilities for the default action are to forward an access accept message without a filter or to forward an access reject message to the network access server 16. Of the two, forwarding an accept without the filter discards the restriction the authentication server asked for, so the reject is the safer default.

[0098] This process has the advantage that the servers A, B and C can specify filters without any knowledge of the type of network access server which will be used to form a connection. Also, both static and dynamic filters can be specified.
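Steps 151 to 154 of FIG. 9, as an added example in Python that is not part of the patent: validation of the agreed filter identifier (no mixing of static and dynamic filters, at most 10 dynamic filters, correct format for each), translation of each a.b.c.d/n entry into the "upper.lower" range form of paragraph [0095], and the default action for an invalid identifier. The text does not say how several filters are packed into one identifier or what a static name looks like, so the following are assumptions: entries are separated by commas, a static filter is a bare name matching `[A-Za-z0-9_-]+`, host bits beyond n are ignored as [0094] describes, and the default on an invalid identifier is an Access-Reject. The vendor argument only exists to show where a second NAS dialect would be plugged in; only the Cisco-style form from the page is implemented.

```python
"""Added example (not the patent's code): FIG. 9 filter identifier
validation and translation. Delimiter, static-name syntax and the
reject-on-invalid default are assumptions; the range form follows
paragraph [0095] with the upper limit first."""
import ipaddress
import re
from typing import List, Optional, Tuple

MAX_DYNAMIC = 10
STATIC_NAME = re.compile(r"^[A-Za-z0-9_-]+$")   # assumed static filter syntax


def parse_filter_id(filter_id: str) -> Optional[Tuple[str, list]]:
    """Step 151. Returns ('static', [name]) or ('dynamic', [IPv4Network, ...]),
    or None when the identifier is invalid (mixed kinds, more than
    MAX_DYNAMIC dynamic filters, or a malformed entry)."""
    items = [s.strip() for s in filter_id.split(",")]
    if any(not s for s in items):
        return None
    static: List[str] = []
    dynamic: List[ipaddress.IPv4Network] = []
    for item in items:
        if "/" in item:
            try:
                # strict=False: only the leading n bits are enforced ([0094]),
                # so host bits past the prefix are masked off, not rejected
                dynamic.append(ipaddress.IPv4Network(item, strict=False))
            except ValueError:
                return None
        elif STATIC_NAME.match(item):
            static.append(item)
        else:
            return None
    if static and dynamic:
        return None                      # mixture not permitted
    if len(static) > 1 or len(dynamic) > MAX_DYNAMIC:
        return None                      # one static, at most 10 dynamic
    return ("static", static) if static else ("dynamic", dynamic)


def to_cisco_range(net: ipaddress.IPv4Network) -> str:
    """Step 152 for one dynamic filter: a.b.c.d/n -> 'upper.lower' ([0095])."""
    return f"{net.broadcast_address}.{net.network_address}"


def translate(filter_id: str, nas_vendor: str = "cisco") -> Tuple[str, Optional[str]]:
    """Steps 151 to 154: the (message, filter) pair to send on to the NAS.
    An invalid identifier, or a NAS dialect with no translation, fails
    closed with Access-Reject rather than forwarding an unfiltered accept."""
    parsed = parse_filter_id(filter_id)
    if parsed is None:
        return ("Access-Reject", None)               # step 154, assumed default
    kind, items = parsed
    if kind == "static":
        return ("Access-Accept", items[0])           # agreed name passes through
    if nas_vendor != "cisco":
        return ("Access-Reject", None)
    return ("Access-Accept", ",".join(to_cisco_range(n) for n in items))


if __name__ == "__main__":
    for fid in ("registration-only", "192.0.2.10/32", "10.0.0.1/8",
                "192.0.2.0/24,registration-only", "192.0.2.0/33"):
        print(f"{fid!r:40} -> {translate(fid)}")
```

Two of the sample identifiers are rejected on purpose: one mixes a dynamic entry with a static name, the other has an impossible prefix length; a practitioner running this will also want to add a length cap on the raw identifier before parsing, since the proxy is trusting a string produced by another organisation's server.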

[0099] Referring now to FIG. 10, there is shown another arrangement for connecting computers operated by end users to the public Internet. This arrangement includes two clusters of network access servers 200, 201 connected to a private data network 202. The private data network 202 is similar to the private data network 20 described with reference to FIG. 1. Two authentication servers 203, 204 and a home gateway 205 are also connected to the private data network 202.

[0100] As will be described below, the home gateway 205 can connect computers operated by end users to the public Internet 206. The home gateway 205 is also connected to a second private data network 210, which is similar to the private data network 20 described with reference to FIG. 1. A proxy server 211 and two authentication servers 212 and 213 are also connected to the data network 210.

[0101] In this example, the network access servers 200, 201, the authentication servers 203, 204, the home gateway 205 and the proxy server 211 are managed by one organisation, and the two authentication servers 212 and 213 are managed by separate organisations.

[0102] The network access servers 200, 201 connect computers operated by some end users directly to the public Internet. However, computers operated by other end users are connected to the public Internet via the home gateway 205.

[0103] When one of the network access servers 200, 201 receives an access request from a computer operated by an end user, it forwards the access request to one of the authentication servers 203, 204. If the computer making the request is to be connected to the public Internet via the home gateway 205, then the relevant authentication server 203 or 204 sends an instruction to the relevant network access server to build a connection or tunnel to the home gateway 205 for the computer which has made the access request. The network access server then builds a tunnel to the home gateway 205. There are a number of different tunnelling protocols for doing this. One of these is the so-called L2TP (Layer Two Tunnelling Protocol). This protocol is supported by most network access server vendors.

[0104] After forming the tunnel to the home gateway 205, the network access server forwards the access request message to the home gateway 205. The home gateway 205 is also a virtual network access server. On receiving the access request, it forwards it to the proxy server 211. The proxy server 211 then selects one of the authentication servers 212, 213 and forwards the access request to the selected authentication server. The selected authentication server 212 or 213 processes the access request and sends a response to the proxy server 211. The response will be either an access accept or an access reject message. The proxy server 211 then forwards the response to the home gateway 205. The home gateway 205 then either allows or denies the access request in accordance with the response from the proxy server 211. If the home gateway 205 allows the request, then the end user is connected to the Internet 206 through the relevant one of the network access servers 200 or 201 and the home gateway 205.

[0105] In the arrangement shown in FIG. 10, the proxy server 211 can perform the processes which have been described above with reference to FIGS. 5 to 9.

1. A method of processing a request at an access server arrangement for a data terminal operated by an end user for access to a data network, said method comprising the steps of: receiving a request from the data terminal at the access server arrangement for access to the data network; in the event that a predetermined criterion is not satisfied: (i) attempting to forward the access request to an authentication server; (ii) if a response is received from the authentication server, dealing with the access request in accordance with the response; and (iii) if a response is not received from the authentication server, dealing with the access request in accordance with a default procedure; and in the event that the predetermined criterion is satisfied, dealing with the access request in accordance with a default procedure.

2. A method as claimed in claim 1, including the additional step of: selecting an authentication server from a plurality of authentication servers in accordance with the value of at least one attribute contained in the access request; and in said step of attempting to forward the access request, an attempt is made to forward the access request to the selected authentication server.

3. A method as claimed in claim 1, in which the network access arrangement includes a proxy server, the proxy server being responsible for forwarding an access request to an authentication server, receiving any response from the authentication server, and, if appropriate, handling an access request in accordance with the default procedure.

4. A method as claimed in any one of claims 1 to 3, in which the predetermined criterion is satisfied if there are repetitive failures to receive a response from an authentication server.

5. A method as claimed in any one of the preceding claims, which includes the following steps: if a response is not received from an authentication server, changing the value held in a counter by one unit in one direction; and if a response is received from an authentication server, changing the value held in the counter by one unit in the other direction; and the predetermined criterion is reached when the value held in the counter has progressed in said one direction to a predetermined threshold.

6. A method as claimed in claim 5, in which, in the event that the counter has reached said predetermined threshold, the method includes steps of performing the default procedure for a predetermined number of times, then changing the value held in the counter by one unit in the other direction, then making an attempt to forward the next access request to the authentication server.

7. A network access server configured to operate according to the method of any one of the preceding claims.

8. A network including at least one network access server according to claim 7 and one or more of said authentication servers.